Authorization header. There is no session or token layer — each request re-authenticates independently.
Authorization Header Format
- The literal prefix
Basic(case-sensitive, with a trailing space). - Your
clientIdandclientSecretjoined by a single colon (:), then base64-encoded.
Example
Given these credentials:
The base64 of
atUkltkq:xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow is YXRVa2x0a3E6eG4tdjRKVktZSnhDNXY4VWd4VnZ3b0JiUS1rX0d2a2daRlVYSmdsZTNPdw==, so the header you send is:
- curl
- Python
- JavaScript
Error Responses
Any authentication failure returns HTTP401. The table below maps each failure cause to its error message:
Treat every
401 as terminal for that request. Retry only after fixing the header or credentials — do not retry an invalid request blindly.
Practical Checklist
1
Use HTTPS
HTTPS is required to protect credentials in transit.
2
Send the header on every request
There is no session or token reuse. Every request must include the
Authorization header.3
Base64-encode the credentials
Concatenate
clientId:clientSecret with a colon separator, then base64-encode the result. Send that encoded string after Basic .4
Obtain a REST Order Entry API key
Your API key must have the REST Order Entry scope. See Creating a Starbase API Key for steps.
Next Steps
Creating a Starbase API Key
Generate credentials with the REST Order Entry scope
Placing a New Order
Submit your first order via the REST Order Gateway
Rate Limits
Per-gateway rate limit rules for REST requests
Gateway Connectivity
Gateway addresses, ports, and connection rules